Analysis
-
max time kernel
129s -
max time network
142s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:48
Static task
static1
Behavioral task
behavioral1
Sample
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe
Resource
win10v2004-en-20220113
General
-
Target
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe
-
Size
92KB
-
MD5
2830bbc806f9b368b3a551429e825724
-
SHA1
463b16b51a8221414df3287a1d243e4f13c6bf0d
-
SHA256
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2
-
SHA512
82577c055bf7492c80d6181209a338a3dbd361fa39129c7b27cc92ae930bb98955fcf5a6e9be0b86eaf7ceeb147b51f86c939a4ce220fa362a0539dcbd044187
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1468 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1020 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exepid process 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exedescription pid process Token: SeIncBasePriorityPrivilege 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.execmd.exedescription pid process target process PID 1296 wrote to memory of 1468 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe MediaCenter.exe PID 1296 wrote to memory of 1468 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe MediaCenter.exe PID 1296 wrote to memory of 1468 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe MediaCenter.exe PID 1296 wrote to memory of 1468 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe MediaCenter.exe PID 1296 wrote to memory of 1020 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe cmd.exe PID 1296 wrote to memory of 1020 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe cmd.exe PID 1296 wrote to memory of 1020 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe cmd.exe PID 1296 wrote to memory of 1020 1296 145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe cmd.exe PID 1020 wrote to memory of 844 1020 cmd.exe PING.EXE PID 1020 wrote to memory of 844 1020 cmd.exe PING.EXE PID 1020 wrote to memory of 844 1020 cmd.exe PING.EXE PID 1020 wrote to memory of 844 1020 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe"C:\Users\Admin\AppData\Local\Temp\145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\145ce0583a517d53206d9a9819d6b7a774b8fd2905a9ed57264aa999ea018fa2.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:844
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
01cff6440bf95bbfa21236b10b8b1188
SHA108824e66f2011570d60df2860fbbc29805f941b6
SHA256aba0bc2a7f1c918371d84c0a2ab7c4f5089fd95e705c62a758064ebc3cd6894b
SHA51239812d81cb9e63ab6c8e021afc49aa40ee5c2504c82d8c1f4b3894abf0d83089a545350e452e74f952bdef037221ec4cb653de9196c9c45b2a0abb6ec30d6b79
-
MD5
01cff6440bf95bbfa21236b10b8b1188
SHA108824e66f2011570d60df2860fbbc29805f941b6
SHA256aba0bc2a7f1c918371d84c0a2ab7c4f5089fd95e705c62a758064ebc3cd6894b
SHA51239812d81cb9e63ab6c8e021afc49aa40ee5c2504c82d8c1f4b3894abf0d83089a545350e452e74f952bdef037221ec4cb653de9196c9c45b2a0abb6ec30d6b79